[Samba] idmap_ad

Rowland Penny rpenny at samba.org
Tue Sep 20 13:30:15 UTC 2016


On Tue, 20 Sep 2016 09:00:23 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> Hi
> 
> Thanks for the feedback.
> 
> 
> 
> I currently have 3 production domains.
> -  MYDOMAIN.COM is a  production Windows 2008 domain used to support
> MS Exchange  (but not file sharing.)
> -  TECH  -    Samba3 "classic" domain  with unix domain controllers
> that supports most users for authentication and file sharing.  The DC 
> machines are both Samba domains (for Windows clients) and KRB/LDAP 
> servers for Linux clients.

You could probably use the 'classicupgrade' tool to upgrade your
NT4-style domain, apart from the fact that you want to change the
domain name.

> - SALES -Small Win 2008 AD domain for a separate group.
> 
> I want to eventually  build a  TECH.MYDOMAIN.COM domain as a child 
> domain of MYDOMAIN.COM and migrate computers from the "classic" TECH 
> domain to the new TECH.MYDOMAIN.COM.

Child domains do not work (yet), unless I missed something ;-)
This shouldn't really be a problem, just set up a new Samba AD domain
and then import your users.

>      I will  want to preserve
> user ID numbers as much as possible.    Some of the user accounts go
> back 15 years in the production TECH domain, when local service
> accounts didn't go over uidNumber 100.

That explains the low numbers, but perhaps it might be better to bite
the bullet and start afresh.
 
>    For the moment I am just
> testing machines in the parent domain rather than add too many
> variables upfront.
> 
> " winbind nss info = templater"  was a typo, I did try    "winbind
> nss info = templates"
>

The smb.conf on the wiki page I pointed you at does work, so if you
are still having problems, can I suggest you post your test smb.conf.
 
> I fixed nsswitch.conf
> 
> 
> I think I had krb.conf set up properly with realm before joining the
> domain.
> 
> 
> 
> 
> 
>   # cat /etc/krb5.conf
>   [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
> 
>   [libdefaults]
>     dns_lookup_realm = false
>     ticket_lifetime = 24h
>     renew_lifetime = 7d
>     forwardable = true
>     rdns = false
>     default_realm = MYDOMAIN.COM
> 
>   [realms]
>     MYDOMAIN.COM = {
>       kdc = pdc.mydomain.com
>       admin_server = pdc.mydomain.com
>     }
> 
>   [domain_realm]
>     mydomain.com = MYDOMAIN.COM
>     .mydomain.com = MYDOMAIN.COM
>   #
> 
>

This is mine, from the machine I am typing this on:

 [libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

> 
> But to be safe I did rejoin domain
> 
> 
> 
>             # net ads join -U administrator -S pdc.mydomain.com
>             Enter administrator's password:
>             Using short domain name -- MYDOMAIN
>             Joined 'LINUX1' to dns domain 'mydomain.com'
>             #
> 
>             # net ads testjoin
>             Join is OK
>             #
> 
> 
> 
> Set a uidNumber of 1000 for one of the user accounts and updated the 
> idmap range for MYDOMAIN to be from 100-1999.
> 
> Still no luck.
> 
>

How have you installed samba?
It is possible you now have a PAM problem.
 
> Kinit indicates the machine account does exist
> 
>         # kinit linux1
>         Password for linux1 at MYDOMAIN.COM:  ^C
> 
> 
> Since mapping for the child domain is working it indicates that the 
> idmap_tdb backend is OK and that the problem may be with idmap_ad ?
> 
> 
>         #smbd -b
>         ....
> 
>         --with Options:
>             WITH_ADS
>             WITH_AUTOMOUNT
>             WITH_DNS_UPDATES
>             WITH_PAM
>             WITH_PAM_MODULES
>             WITH_PROFILE
>             WITH_PTHREADPOOL
>             WITH_QUOTAS
>             WITH_SENDFILE
>             WITH_SYSLOG
>             WITH_WINBIND
> 
>         ...
>         Builtin modules:
>             vfs_posixacl auth_sam auth_winbind auth_domain
> auth_builtin vfs_default nss_info_template idmap_tdb idmap_passdb
> idmap_nss idmap_ldap
>         #
> 
>         Build Options:
>         ...
>             auth_netlogond_init
>             auth_samba4_init
>             auth_script_init
>             auth_server_init
>             auth_unix_init
>             auth_wbc_init
>             idmap_ad_init
>             idmap_adex_init
>             idmap_autorid_init
>             idmap_hash_init
>             idmap_rfc2307_init
>             idmap_rid_init
>             idmap_script_init
>             idmap_tdb2_init
> 
>         ....
> 
> 
> 
> I could presumably use idmap_ldap to maintain a consistent mapping 
> across machines.    Since file servers serve users from both Windows
> and Unix systems, it is important to make sure that the uidNumbers
> and gidNumbers are consistent across machines and between Unix and
> Samba.

Winbind can do this, it just needs setting up correctly ;-)

> 
> 
> 
> I am a little hesitant to try recompiling samba because then I am not 
> sure if nsswitch is calling the correct winbind files.

It probably wouldn't, but again these would need setting up, read the
Samba wiki, all the required info is there.

Rowland
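The reply above twice comes back to the same point: the idmap_ad setup works once smb.conf is right, and the first thing to do is to check the posted smb.conf. The script below is an added example, not code from the thread or from the Samba project, that performs the sanity checks a member-server smb.conf usually fails on: an invalid "winbind nss info" value (the thread's "templater" typo), a missing "idmap config *" default, an idmap_ad domain without an explicit schema_mode, malformed ranges, and, most important for file servers, two idmap ranges that overlap and would let two different SIDs map to the same uid/gid. The embedded smb.conf is constructed for the example (domain, hostnames and ranges are illustrative); it follows the layout of the Samba wiki's domain-member examples but is not copied from the wiki. It does not check collisions with local accounts in /etc/passwd, which is the separate reason a range starting at 100 is risky on a typical Linux host.

```python
import re

# Constructed smb.conf for a domain member using the idmap_ad backend.
# Domain name, ranges and the deliberate "templater" typo are illustrative.
SAMPLE_SMB_CONF = """
[global]
    workgroup = MYDOMAIN
    security = ADS
    realm = MYDOMAIN.COM

    winbind nss info = templater
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%U

    # Default backend for BUILTIN and any domain not listed below
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The AD domain: read uidNumber/gidNumber (RFC2307 attributes) from AD
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : range = 100-1999
    idmap config MYDOMAIN : unix_nss_info = yes
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.IGNORECASE)
PARAM_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
# Values accepted by "winbind nss info" according to smb.conf(5).
VALID_NSS_INFO = {"template", "rfc2307", "sfu", "sfu20"}


def parse_smb_conf(text):
    """Split smb.conf text into plain [global] parameters and per-domain idmap settings.

    Returns (params, idmap): params maps a normalised parameter name such as
    "winbind nss info" to its value; idmap maps a domain ("*", "MYDOMAIN") to a
    dict of its "idmap config DOMAIN : option" values. Shares are ignored.
    """
    params, idmap = {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.strip().startswith("["):
            section = line.strip().strip("[]").lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(domain, {})[option] = value
            continue
        m = PARAM_RE.match(line)
        if m:
            params[" ".join(m.group(1).lower().split())] = m.group(2)
    return params, idmap


def parse_range(value):
    """Return (low, high) for a range such as "3000-7999", or None if malformed."""
    m = RANGE_RE.match(value)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def check_idmap(text):
    """Return a list of problem strings for an smb.conf; an empty list means it passed."""
    params, idmap = parse_smb_conf(text)
    problems = []

    nss_info = params.get("winbind nss info")
    if nss_info is not None and nss_info.lower() not in VALID_NSS_INFO:
        problems.append(f"winbind nss info = {nss_info!r} is not a valid value")

    if "*" not in idmap:
        problems.append("no 'idmap config * : ...' default backend/range")

    ranges = {}
    for domain, opts in sorted(idmap.items()):
        backend = opts.get("backend")
        if backend is None:
            problems.append(f"{domain}: missing backend")
        elif backend.lower() == "ad" and "schema_mode" not in opts:
            problems.append(f"{domain}: idmap_ad without an explicit schema_mode")
        if "range" not in opts:
            problems.append(f"{domain}: missing range")
            continue
        rng = parse_range(opts["range"])
        if rng is None:
            problems.append(f"{domain}: malformed range {opts['range']!r}")
            continue
        ranges[domain] = rng

    # Every pair of ranges must be disjoint, or two SIDs can share one uid/gid.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return problems


if __name__ == "__main__":
    for problem in check_idmap(SAMPLE_SMB_CONF) or ["smb.conf idmap settings look consistent"]:
        print(problem)
```

Run against the constructed smb.conf, the only finding is the "templater" value; correct that and the checks pass. Widen the "*" range so it reaches into 100-1999 and the overlap check fires, which is the failure mode that silently gives two domain objects the same POSIX id on a file server. The parser deliberately stays minimal (no include handling, no share sections), so point it at the [global] section of a real smb.conf or at "testparm -s" output.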
